This document provides instructions for developing an outline for an IT risk-mitigation plan. It involves identifying risks, threats and vulnerabilities across the seven domains of a typical IT infrastructure based on a previous qualitative risk assessment. The outline should prioritize risks and include short and long-term remediation steps. It should also define procedures and processes for ongoing risk mitigation. Creating the outline involves reviewing risks across the seven domains and developing a detailed outline with appropriate subtopics and sub-bullets for each domain.
Beyond the EU: DORA and NIS 2 Directive's Global Impact
44 Introduction Identifying and assessing risks is.docx
1. 44
Introduction
Identifying and assessing risks is challenging, but treating them
is another matter entirely.
Treating risks means making changes based on a risk
assessment and probably a few hard
decisions. When treating even the most straightforward of risks,
practice due diligence by
documenting what steps you are taking to mitigate the risk. If
you don’t document the change
and the reasoning behind it, it’s possible that your organization
could reverse the mitigation and
reintroduce the risk based on the notion of “but that’s how we
always did it before.”
After you’ve addressed a risk, appoint someone to make certain
that the risk treatment is being
regularly applied. If a security incident arises even with the
change in place, having a single
person in charge will ensure that any corrective action aligns
with the risk-mitigation plan.
2. You’re not appointing someone so you can blame that person if
things go wrong; you are instead
investing that individual with the autonomy to manage the
incident effectively. The purpose of a
risk-mitigation plan is to define and document procedures and
processes to establish a baseline
for ongoing mitigation of risks in the seven domains of an IT
infrastructure.
In this lab, you will identify the scope for an IT risk-mitigation
plan, you will align the plan’s
major parts with the seven domains of an IT infrastructure, you
will define the risk-mitigation
steps, you will define procedures and processes needed to
maintain a security baseline for
ongoing mitigation, and you will create an outline for an IT
risk-mitigation plan.
Learning Objectives
Upon completing this lab, you will be able to:
Identify the scope for an IT risk-mitigation plan focusing on the
seven domains of a typical
IT infrastructure.
Align the major parts of an IT risk-mitigation plan in each of
the seven domains of a typical
4. Upon completion of this lab, you are required to provide the
following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
46 | LAB #6 Developing a Risk-Mitigation Plan Outline for an
IT Infrastructure
Hands-On Steps
This is a paper-based lab. To successfully complete the
deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you
may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface
of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find
answers to these questions as you
proceed through the lab steps.
3. Review the seven domains of a typical IT infrastructure (see
Figure 1).
6. Hacker penetrates your IT infrastructure
and gains access to your internal network
Intraoffice employee romance gone bad
Fire destroys primary data center
Service provider service level agreement
(SLA) is not achieved
Workstation operating system (OS) has a
known software vulnerability
Unauthorized access to organization-
owned workstations
Loss of production data
Denial of service attack on organization
Demilitarized Zone (DMZ) and e-mail
server
Remote communications from home office
Local Area Network (LAN) server OS has a
known software vulnerability
User downloads and clicks on an unknown
e-mail attachment
7. Workstation browser has a software
vulnerability
Mobile employee needs secure browser
access to sales-order entry system
Service provider has a major network
outage
Weak ingress/egress traffic-filtering
degrades performance
User inserts CDs and USB hard drives with
personal photos, music, and videos on
organization-owned computers
Virtual Private Network (VPN) tunneling
between remote computer and
ingress/egress router is needed
Wireless Local Area Network (WLAN)
access points are needed for LAN
connectivity within a warehouse
Need to prevent eavesdropping on WLAN
due to customer privacy data access
8. Denial of service (DoS)/distributed denial of
service (DDoS) attack from the Wide Area
Network (WAN)/Internet
48 | LAB #6 Developing a Risk-Mitigation Plan Outline for an
IT Infrastructure
5. In your Lab Report file, organize the qualitative risk
assessment data according to the
following:
Qualitative Risk Assessment
for an IT Infrastructure lab in this lab manual.
vulnerabilities identified throughout
the seven domains of a typical IT infrastructure.
Fighting Fear
In the real world, some managers will accept risk rather than
make changes to mitigate it. If they offer up only vague
reasons for sticking with the status quo, then their decision is
likely based on fear of change. Don’t let their fear stop
you from treating the risk.
Here are two tips to fight a manager’s fear:
Prepare for your manager’s “What if?” questions. Example of a
9. manager’s question: “What if we apply the firewall but
it also stops network traffic we want, such as from our
applications?” Your answer: “We’ve tested nearly all
applications with the chosen firewall. And we’re prepared to
minimize unforeseen outages.”
Know, in concrete terms, what will happen if the risk is not
treated. Example of a manager’s question: “What is
supposed to happen that hasn’t happened already?” Your answer
will come from the risk assessment you’ve
performed, which will calculate the risk’s likelihood and
consequences.
6. On your local computer, open a new Internet browser
window.
7. In the address box of your Internet browser, type the URL
http://www.mitre.org/publications/systems-engineering-
guide/acquisition-systems-
engineering/risk-management/risk-impact-assessment-and-
prioritization and press Enter to
open the Web site.
8. Read the article titled “Risk Impact Assessment and
Prioritization.”
9. In your Lab Report file, describe the purpose of prioritizing
the risks prior to creating a
risk-mitigation plan.
10. In your Lab Report file, describe the elements of an IT risk-
mitigation plan outline by
covering the following major topics:
11. plan outline by inserting
appropriate subtopics and sub-bullets.
This completes the lab. Close the Web browser, if you have not
already done so.
50 | LAB #6 Developing a Risk-Mitigation Plan Outline for an
IT Infrastructure
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that
students must perform:
1. Identify the scope for an IT risk-mitigation plan focusing on
the seven domains of a
typical IT infrastructure. – [20%]
2. Align the major parts of an IT risk-mitigation plan in each of
the seven domains of a
typical IT infrastructure. – [20%]
3. Define the tactical risk-mitigation steps needed to remediate
the identified risks, threats,
and vulnerabilities commonly found in the seven domains of a
typical IT infrastructure. –
[20%]
4. Define procedures and processes needed to maintain a
12. security baseline definition for
ongoing risk mitigation in the seven domains of a typical IT
infrastructure. – [20%]
5. Create an outline for an IT risk-mitigation plan encompassing
the seven domains of a
typical IT infrastructure. – [20%]